Jorge Bernhardt

How to create a Group Managed Service Accounts (gMSA)

Tags: Install-ADServiceAccount, Microsoft, Microsoft Windows, New-ADServiceAccount

In this post, I want to show you how to create and use Group Managed Service Accounts (gMSA). Before starting, I would like to go over the basic concepts and requirements.

Basic concepts

  • They can be used only on servers running Windows Server 2012 or later.
  • You can use the same managed service account across multiple servers.
  • Group managed service accounts are stored in the Managed Service Accounts container of Active Directory.

Requirements

With that covered, we can start.

Create the Managed Service Account in Active Directory

To create a gMSA with PowerShell, use the New-ADServiceAccount cmdlet with the following syntax:

New-ADServiceAccount `
    -Name <String> `
    -Description <String> `
    -DNSHostName <String> `
    -ManagedPasswordIntervalInDays <Int32> `
    -PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]> `
    -Enabled <Boolean> `
    -PassThru

Run the following PowerShell command as administrator. If the command succeeds, it returns the new Active Directory object.

As mentioned above, the new gMSA is located in the Managed Service Accounts container, where you can see it in the Active Directory Users and Computers console.

Parameters

  • -DNSHostName defines the DNS host name of the service.
  • -ManagedPasswordIntervalInDays specifies the number of days between automatic password changes.
  • -PrincipalsAllowedToRetrieveManagedPassword specifies the group of servers that are allowed to retrieve the password and therefore use the gMSA. If you have just created the group used in this parameter, it is important to restart the host before installing the gMSA, so that the new group membership is present in its token.

Install the gMSA on the host

The Install-ADServiceAccount cmdlet installs an existing gMSA on the server on which the cmdlet is run. Use the cmdlet with the following syntax:

Install-ADServiceAccount `
    -Identity <ADServiceAccount>

Run the following PowerShell command as administrator on the host that will use the account.

The Test-ADServiceAccount cmdlet tests that the specified service account is ready for use.

Test-ADServiceAccount `
    -Identity <ADServiceAccount>

You can now use the gMSA for a Windows service, an IIS application pool, or a scheduled task. To do this, enter the account name with a $ at the end (for example DOMAIN\gmsaname$) and leave the password field blank; the host retrieves the password from Active Directory itself.
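The whole procedure above end to end, as an added example that is not part of the original post. The domain contoso.local, the OU path, the gMSA name svc-web, the host group gMSA-WebHosts, the server WEB01 and the script path are assumptions:

```powershell
# Added example, not from the original post. All names below are assumptions.
Import-Module ActiveDirectory

# 1. Least privilege: only the servers that need the secret may retrieve the password,
#    so put them in a dedicated security group instead of granting "Domain Computers".
$hostGroup = New-ADGroup -Name 'gMSA-WebHosts' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Servers,DC=contoso,DC=local' -PassThru
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity 'WEB01')
# WEB01 must be restarted before step 3 so the new group membership is in its token;
# otherwise Install-ADServiceAccount fails with an access denied error.

# 2. Create the gMSA. 30 days is the default rotation interval; a shorter one is fine.
$gmsa = New-ADServiceAccount -Name 'svc-web' `
    -Description 'gMSA for the intranet IIS application pool' `
    -DNSHostName 'svc-web.contoso.local' `
    -ManagedPasswordIntervalInDays 30 `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -Enabled $true -PassThru

# 3. On WEB01 (run elevated, after the restart): install the account and verify that
#    this host can actually retrieve the managed password.
Install-ADServiceAccount -Identity 'svc-web'
if (-not (Test-ADServiceAccount -Identity 'svc-web')) {
    throw 'WEB01 cannot retrieve the managed password: check group membership and reboot.'
}

# 4. Audit who is allowed to retrieve the password; the result should list only the
#    intended host group. Anything broader widens who can impersonate the service.
(Get-ADServiceAccount -Identity 'svc-web' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# 5. Use the account: the name carries a trailing $ and no password is supplied.
#    Here it runs a scheduled task; a service or IIS application pool is configured the same way.
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svc-web$' -LogonType Password -RunLevel Limited
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File C:\Scripts\sync.ps1'
Register-ScheduledTask -TaskName 'IntranetSync' -Action $action -Principal $principal
```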


If you want to know more about Group Managed Service Accounts, check out this link.